{ "threat_severity" : "Moderate", "public_date" : "2016-02-22T00:00:00Z", "bugzilla" : { "description" : "tomcat: security manager bypass via setGlobalContext()", "id" : "1311093", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1311093" }, "cvss" : { "cvss_base_score" : "4.3", "cvss_scoring_vector" : "AV:A/AC:M/Au:N/C:P/I:P/A:N", "status" : "verified" }, "cvss3" : { "cvss3_base_score" : "6.3", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "status" : "verified" }, "cwe" : "CWE-287", "details" : [ "The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.", "A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2016-11-03T00:00:00Z", "advisory" : "RHSA-2016:2599", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "tomcat-0:7.0.69-10.el7" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6", "release_date" : "2016-11-17T00:00:00Z", "advisory" : "RHSA-2016:2807", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6", "package" : "tomcat7-0:7.0.54-23_patch_05.ep6.el6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7", "release_date" : "2016-11-17T00:00:00Z", "advisory" : "RHSA-2016:2807", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7", "package" : "tomcat7-0:7.0.54-23_patch_05.ep6.el7" }, { "product_name" : "Red Hat JBoss Web Server 2.1", "release_date" : "2016-11-17T00:00:00Z", "advisory" : "RHSA-2016:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2.1", "package" : "tomcat7" }, { "product_name" : "Red Hat JBoss Web Server 3.0", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1089", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1087", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6", "package" : "httpd24-0:2.4.6-61.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1087", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6", "package" : "mod_security-jws3-0:2.8.0-7.GA.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1087", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6", "package" : "tomcat7-0:7.0.59-50_patch_01.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1087", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6", "package" : "tomcat8-0:8.0.18-61_patch_01.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1088", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7", "package" : "httpd24-0:2.4.6-61.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1088", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7", "package" : "mod_security-jws3-0:2.8.0-7.GA.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1088", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7", "package" : "tomcat7-0:7.0.59-50_patch_01.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1088", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7", "package" : "tomcat8-0:8.0.18-61_patch_01.ep7.el7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "tomcat6", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss Data Grid 6", "fix_state" : "Affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_data_grid:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 4", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:4" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat JBoss Portal 6", "fix_state" : "Affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-0763\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-0763\nhttp://seclists.org/bugtraq/2016/Feb/147" ], "name" : "CVE-2016-0763", "csaw" : false }